ClusterControl comes with an advanced user management system, managed by ClusterControl Controller (cmon) service. Every operation initiated by ClusterControl clients (GUI or CLI) is associated with a user. A user must be authenticated with the controller service before performing any operation.
ClusterControl supports private/public key and password authentication. All users’ activities are logged and accessible via the Audit Log, available under the Activity center section. A user can be disabled or enabled by anyone in the admins group.
Create user or team
Opens a dialog to create a user or a team. From here you may choose to Create user or Create team.
Create user
To create a user, fill in the following information:

| Field | Description |
|---|---|
| Details | |
| First name | |
| Last name | |
| Username | |
| Password | |
| Timezone | |
| Team | |
| Team | |
The username “admin” is reserved for ClusterControl internal usage. It is a system user and is not intended to be used by anyone.
You can also create a ClusterControl user by using the command-line interface (CLI). See s9s-user.
Create team
Teams group users. Each team may consist of zero or more users. A single user may be a part of one team. Teams may be assigned to zero or more clusters.
When a team is created, the primary team of the user who creates it becomes the team owner. Only the team owner is allowed to delete or modify the team. Only the owner’s team is allowed to delete the cluster. All clusters created by a specific user also belong to that user’s team.
To create a team, fill in the following information:

| Field | Description |
|---|---|
| Details | |
| Team name | |
| Users | |
| Users | |
| Password | |
| Permissions | |
| Permissions | |
| Team | |
| Team | |
By default ClusterControl creates two teams: “admins” and “users”. There is also a hidden team for internal usage called “nobody”.
You can also create a ClusterControl group by using the command-line interface (CLI). See s9s-user.
Cluster-Level Permissions
ClusterControl uses access control to restrict access to clusters and their respective deployment, management, and monitoring features. Access control defines privileges and permissions for a specific team. This ensures that only authorized user requests are allowed.
There are three access levels for clusters:

| Permission | Description |
|---|---|
| Manage | |
| View | |
| No access | |
LDAP
ClusterControl supports integration with directory services like Active Directory, FreeIPA, and OpenLDAP authentication. This allows users to log into ClusterControl by using their corporate credentials instead of a separate password. LDAP groups can be mapped onto ClusterControl user groups to apply privileges to the entire group. This would ensure that ClusterControl authorizes the logged-in user based on the group assigned. It supports up to the LDAPv3 protocol based on RFC2307.
To integrate with a directory service, perform the following steps:
- Fill in the LDAP Settings configuration wizard.
- Save the settings. At this point, the LDAP configuration is saved but not activated, because no group mapping has been created yet.
- Create at least one group mapping entry by going to Map LDAP Group.
- Enable LDAP authentication by toggling ON the LDAP Settings → Enable LDAP Authentication switch.
- Log in to ClusterControl using the value of the Username Attributes field as the username, together with the directory password. The user is authenticated and redirected to the ClusterControl dashboard page according to the assigned group.
- From this point on, both ClusterControl and LDAP authentication work.
The last entry of the group mapping can not be deleted while LDAP authentication is enabled and activated. To delete the last entry, set Enable LDAP Authentication to OFF and you will notice the Remove Group button is no longer greyed out, allowing you to remove the last group mapping entry.
LDAP Settings
| Field | Description |
|---|---|
| General Settings | |
| Enable LDAP Authentication | |
| LDAP/LDAPS URI | |
| Login DN | |
| Login DN Password | |
| User Base DN | |
| Group Base DN | |
| Advanced Settings | |
| User Base Filter | |
| Username Attributes | |
| Real Name Attributes | |
| Email Attributes | |
| Group Base Filter | |
| Static Member Attributes | |
| Group Mapping Attributes | |
| Group Name Attributes | |
| Network Timeout | |
| Protocol Version | |
| Time Limit | |
| SSL/TLS Settings | |
| CA Cert File | |
| Certificate File | |
| Key File | |
Map LDAP Group
ClusterControl requires at least one LDAP group mapping entry to be defined before the LDAP authentication can be activated. Otherwise, ClusterControl would only save the LDAP settings without activating them.
To create a group mapping, click on the Map LDAP Group button. Pick an existing team from the dropdown and specify the value of the LDAP’s Group Name Attributes that you want to be mapped with the ClusterControl team. After creating the first entry, you may proceed to activate the LDAP authentication by going to LDAP Settings → Enable LDAP Authentication.
All LDAP configurations and mappings are stored in the configuration file `/etc/cmon-ldap.cnf`. It is recommended to configure LDAP settings and group mappings via the ClusterControl UI, because any change to this file requires a reload of the controller process, which is triggered automatically when LDAP is configured via the UI. You may also edit the file directly, but then you have to reload the cmon service manually with `systemctl restart cmon` or `service cmon restart`.
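The following is an added example, not ClusterControl code: it simulates the user-to-group-to-team resolution that the LDAP Settings and Map LDAP Group sections describe, against a small constructed in-memory directory, so that base DNs, filters, attribute names and the group mapping can be sanity-checked offline before they are saved. The Login DN bind and the user's password check are assumed to have already succeeded; the default filter and attribute values are assumptions, not ClusterControl's own defaults.

```python
from dataclasses import dataclass, field

@dataclass
class LdapSettings:
    """Subset of the LDAP Settings fields; the defaults are assumed, not ClusterControl's."""
    user_base_dn: str
    group_base_dn: str
    user_base_filter: str = "(objectClass=person)"
    username_attr: str = "uid"
    group_base_filter: str = "(objectClass=groupOfNames)"
    static_member_attr: str = "member"
    group_name_attr: str = "cn"
    group_mapping: dict = field(default_factory=dict)  # LDAP group name -> ClusterControl team

# Constructed in-memory directory: DN -> attributes (every value is a list).
PEOPLE = "ou=people,dc=example,dc=com"
GROUPS = "ou=groups,dc=example,dc=com"
DIRECTORY = {
    f"uid=alice,{PEOPLE}": {"objectClass": ["person"], "uid": ["alice"]},
    f"uid=bob,{PEOPLE}": {"objectClass": ["person"], "uid": ["bob"]},
    f"cn=dba,{GROUPS}": {"objectClass": ["groupOfNames"], "cn": ["dba"],
                         "member": [f"uid=alice,{PEOPLE}"]},
    f"cn=staff,{GROUPS}": {"objectClass": ["groupOfNames"], "cn": ["staff"],
                           "member": [f"uid=alice,{PEOPLE}", f"uid=bob,{PEOPLE}"]},
}

def _matches(attrs, base_filter):
    # Only the simple "(attr=value)" filter form is supported in this simulation.
    key, value = base_filter.strip("()").split("=", 1)
    return value in attrs.get(key, [])

def _search(base_dn, base_filter, attr, value):
    """Subtree search under base_dn for entries matching the base filter and attr=value."""
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith("," + base_dn) and _matches(attrs, base_filter)
            and value in attrs.get(attr, [])]

def resolve_team(settings, username):
    """Return the ClusterControl team the user lands in, or None if access must be denied."""
    users = _search(settings.user_base_dn, settings.user_base_filter,
                    settings.username_attr, username)
    if len(users) != 1:
        return None  # unknown or ambiguous username: deny rather than guess
    groups = _search(settings.group_base_dn, settings.group_base_filter,
                     settings.static_member_attr, users[0])
    for dn in groups:  # first group with a mapping wins
        for name in DIRECTORY[dn].get(settings.group_name_attr, []):
            if name in settings.group_mapping:
                return settings.group_mapping[name]
    return None  # authenticated, but in no mapped group: no team, hence no cluster access

SETTINGS = LdapSettings(PEOPLE, GROUPS, group_mapping={"dba": "admins"})
```

With only "dba" mapped, alice resolves to the admins team while bob, who is in the directory but only in an unmapped group, gets no team at all.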
| Field | Description |
|---|---|
| Map LDAP Group | |
| Remove Group | |
| Edit Group | |